-
Notifications
You must be signed in to change notification settings - Fork 22k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
RFC: Fleshing out Core Security #1121
Comments
I see #1055 is already open talking about removing Cybersecurity Fundamentals from the course. In this comment I'll cover what the course covers so an informed decision can be made. I'll update this comment every week as the new material is released until the audit access expires. The course costs 400 USD (= 0.022 BTC) for full access which means most OSSU students will only be able to do the material released until the audit expiry date. In bold I will mark the topics that were not covered in: Principles of Secure Coding In Italics, I will mark other topics that are covered in the additional resources section. Week 1: Time it took me to complete the main material: 45 minutes. Week 2: Time it took me to complete the main material: 30 minutes. Week 3: Cryptography Basics [in process] Time it took me to complete the main material: 30 minutes. Okay unfortunately I fell sick before I could complete this course and I've lost access now but I had a look at the topics and it looks like most of the topics have been covered in other courses. As such, I support the removal of Cybersecurity Fundamentals from the curriculum. The other big issue with the course is that it's not always available and the materials are released in a very slow way. |
I finished cybersecurity fundamentals recently. It does NOT take close to 80 hours to do for the most part. Each week of 1-4 can be done in less than an hour, just watched the video content and do a total of like 10 very easy basic questions. Even the video content is very short. The content ramps up in week 5 I believe when networking is introduced, the pre-readings for that are where the bulk of the hours go I believe. After a bit of reading I realised it was too much and decided to just watch the videos, and as expected I was just fine. There was little correlation between pre-readings and video content. I'd say at most (and this is a large overestimate) the course took me around 20 hours. |
With only 1 response received and that the case for this RFC being strong - if the academic maintainer @waciumawanjohi agrees with these changes, I am of the opinion that the changes should be made. |
From the first 3 weeks that I did complete, I found that most of the learning material was in the readings. The videos were almost summaries of summaries (20-30 minutes per week). The readings had all the details, examples, and how things worked. I'm not sure if I will call the course completed without the readings as they seemed to form an integral part of the course. |
@riceeatingmachine let's get these changes into the curriculum! Can you open a PR that carries out your suggestions from above? |
Problem:
In this RFC I'll be proposing some changes to core security to make it more streamlined.
Duration:
3 months.
Background:
The Core Security section was provisionally added to the curriculum and then made permanent to fill the needs of the curriculum. Not enough feedback was received presumably because not enough learners finished core security.
I finished the first two courses of Secure coding specialization in core security, some of the third one, and skimmed the 4th one (the third and fourth have a lot of repeat material from the first two).
Aside from the Secure coding specialization, the course Cybersecurity Fundamentals is too long (80-96 hours) and covers material that aren't needed in the core section.
The first two courses of the Secure Coding Specialization:
Principles of Secure Coding
Identifying Security Vulnerabilities
Cover most of the topis we need to cover in IAS/Foundational Concepts in Security, IAS/Principles of Secure Design, IAS/Defensive Programming. They also cover about half of the IAS/Cryptography section, and 70% of the IAS/Web Security (elective) section.
As such, they fulfill the requirements of what we need in core security.
There are a few holes left to be filled in the CS2013 specification, for which we need to take some sections from the the third course of the Secure Coding Specialization (specifically week 3 lesson 8 on race conditions, and week 4 lesson 9 on psuedo random numbers).
For a few basic concepts of security, we need to include Security Governance & Compliance (a short 9 hour course which took me about 6 hours) to cover "CIA (Confidentiality, Integrity, Availability)" and "Concepts of risk, threats, vulnerabilities, and attack vectors" in depth.
In the images below, you'll see the CS2013 requirements and which courses cover those.
We also cover in a whole bunch of elective topics in SE/Software Design and SE/Software Construction:
As such, these three courses cover the topic of core security well:
Principles of Secure Coding
Identifying Security Vulnerabilities
Security Governance & Compliance
Identifying Security Vulnerabilities in C/C++Programming - lesson 8 and lesson 9 only
Proposal:
The prerequisites need to be "Core Programming, Databases, and Networking"
Core programming because there is code, databases for the SQL injection material, and Networking because most of the second course is about networking security.
The text was updated successfully, but these errors were encountered: